GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

1,623 advisories

netfoil's optional seccomp sandboxing was not applied (Moderate)
GHSA-vjgj-42f6-7997, published for github.com/tinfoil-factory/netfoil (Go), Apr 29, 2026
Netfoil has incorrect allowlist enforcement (Moderate)
GHSA-84g5-x8j3-7235, published for github.com/tinfoil-factory/netfoil (Go), Apr 29, 2026
Fiber's cache middleware default key generator ignores query string, causing response mix-up across distinct query parameters (Moderate)
CVE-2026-30246, published for github.com/gofiber/fiber/v3 (Go), Apr 28, 2026
Credited to xeloxa, gaby, and ReneWerner87
Note Mark: Unauthenticated read of notes and assets in soft-deleted public books (Moderate)
CVE-2026-41572, published for github.com/enchant97/note-mark/backend (Go), Apr 25, 2026
Credited to adrgs and aisafe-bot
gitverify has improper tag signature verification (Moderate)
GHSA-h829-5cg7-6hff, published for github.com/supply-chain-tools/gitverify (Go), Apr 24, 2026
Traefik: A timing side-channel vulnerability allows for valid username enumeration via BasicAuth middleware (Moderate)
CVE-2026-41263, published for github.com/traefik/traefik (Go), Apr 24, 2026
Credited to kodareef5
Traefik Kubernetes CRD allows unauthorized cross-namespace middleware binding (Moderate)
CVE-2026-41174, published for github.com/traefik/traefik (Go), Apr 24, 2026
Credited to tamemghq
melange has Path Traversal When Resolving External Pipelines via Unvalidated pipeline[].uses (Moderate)
CVE-2026-29050, published for chainguard.dev/melange (Go), Apr 23, 2026
Credited to 1seal and antitree
go-ntlmssp NTLM challenges can panic on malformed payloads (Moderate)
CVE-2026-32952, published for github.com/Azure/go-ntlmssp (Go), Apr 23, 2026
goshs has Cross-Origin Arbitrary File Write via Missing CSRF on PUT and Wildcard CORS (Moderate)
GHSA-rhf7-wvw3-vjvm, published for github.com/patrickhener/goshs (Go), Apr 23, 2026
Gitea has insecure default SSH settings (Moderate)
GHSA-3m6q-h5gj-7mrw, published for code.gitea.io/gitea (Go), Apr 22, 2026
Credited to gnzsnz
Nuclei: Environment variable disclosure via Response-Derived DSL Expressions (Moderate)
CVE-2026-41645, published for github.com/projectdiscovery/nuclei/v3 (Go), Apr 22, 2026
Credited to gnuletik
Nuclei: Local File Read via require() Module Loader Bypass (Moderate)
CVE-2026-41646, published for github.com/projectdiscovery/nuclei/v3 (Go), Apr 22, 2026
Credited to AkashHamal0x01
free5GC AMF: Missing default case in Content-Type switch in HTTPUEContextTransfer (Moderate)
CVE-2026-41136, published for github.com/free5gc/amf (Go), Apr 22, 2026
Credited to Giancannella
OpenFGA has Improper Policy Enforcement (Moderate)
CVE-2026-41131, published for github.com/openfga/openfga (Go), Apr 22, 2026
Credited to bugbunny-research
DDEV has ZipSlip path traversal in tar and zip archive extraction (Moderate)
CVE-2026-32885, published for github.com/ddev/ddev (Go), Apr 22, 2026
Credited to SnailSploit
Inspektor Gadget uses unsanitized ANSI Escape Sequences In `columns` Output Mode (Moderate)
CVE-2026-25996, published for github.com/inspektor-gadget/inspektor-gadget (Go), Apr 22, 2026
Credited to suidpit, ndaprela, eiffel-fl, and flyth
Inspektor Gadget: Command Injection via malicious buildOptions manipulation (Moderate)
CVE-2026-24905, published for github.com/inspektor-gadget/inspektor-gadget (Go), Apr 22, 2026
Credited to ndaprela, suidpit, and eiffel-fl
Tekton Pipelines: HTTP Resolver Unbounded Response Body Read Enables Denial of Service via Memory Exhaustion (Moderate)
CVE-2026-40924, published for github.com/tektoncd/pipeline (Go), Apr 21, 2026
Credited to offset and vdemeester
Tekton Pipelines: VolumeMount path restriction bypass via missing filepath.Clean in /tekton/ check (Moderate)
CVE-2026-40923, published for github.com/tektoncd/pipeline (Go), Apr 21, 2026
Credited to kodareef5, vdemeester, and aThorp96
free5GC UDR: Fail-open handling in PolicyDataSubsToNotifyPost allows unintended subscription creation (Moderate)
CVE-2026-40343, published for github.com/free5gc/udr (Go), Apr 21, 2026
Credited to Giancannella
OpenBao's SQL Injection in PostgreSQL database secrets engine (Moderate)
CVE-2026-39946, published for github.com/openbao/openbao (Go), Apr 21, 2026
Credited to jmecom
Tekton Pipelines has VerificationPolicy regex pattern bypass via substring matching (Moderate)
CVE-2026-25542, published for github.com/tektoncd/pipeline (Go), Apr 21, 2026
Credited to 1seal, offset, and vdemeester
Amazon EFS CSI Driver has mount option injection via unsanitized volumeHandle and mounttargetip fields (Moderate)
CVE-2026-6437, published for github.com/kubernetes-sigs/aws-efs-csi-driver (Go), Apr 18, 2026
go-git: Credential leak via cross-host redirect in smart HTTP transport (Moderate)
CVE-2026-41506, published for github.com/go-git/go-git/v5 (Go), Apr 17, 2026
Credited to N0zoM1z0, AyushParkara, and celinke97
Advisories are also available from the GraphQL API.